Pass of DAP/VDAF up to communication patterns

The gist is that we lean more heavily on the DAF section for the
normative VDAF definition. We replace the sharding, aggregation, and
unsharding sections with references to the same topics for DAFs, plus
pointers to subsections or bounds on behavior wherever relevant.

* Harmonize language around report rejection. That is, invalid
  measurements manifest as failures to complete preparation rather than
  "errors computed by each Aggregator".

* Harmonize "BATCH_SIZE" in intro with "MEAS_COUNT" in DAF aggregation
  section. What we want is actually `num_measurements`, as this is the
  parameter name for unsharding, but this is a little too long to put in
  figures. Go with `M`, as this is short and seems the least fussy.

* Move illustrations to the top of sections.

* Define "public share" before its first use.

* Remove the paragraph in the DAF overview about the ID. It doesn't
  really help clarify anything, and we don't use it at all in this
  section.

* Expand the CSPRNG acronym where it's first used.

* Add a paragraph to DAF sharding that explains the role of the nonce.

* Add a paragraph to DAF preparation saying the Aggregators MUST agree
  on the agg param.

* Add a forward reference to `format_dst()`.

* In VDAF preparation, define `prep_shares_to_prep()` prior to
  `prep_next()` since this is the order in which they're executed.

* RECOMMEND specifying an encoding for `AggParam`.

* Use consistent language about the nonce.